December 9, 2024 at 08:29AM
QNAP Systems announced security patches for vulnerabilities discovered at Pwn2Own Ireland 2024, including a severe command injection flaw (CVE-2024-50393) and a CRLF injection bug (CVE-2024-48868), both with CVSS scores of 8.7. Users are urged to update their systems to protect against potential attacks.
### Meeting Takeaways
1. **Vulnerability Patches Released**: QNAP Systems has released patches for multiple vulnerabilities in their QTS and QuTS Hero software following demonstrations at the Pwn2Own Ireland 2024 hacking contest.
2. **Severe Vulnerabilities**:
– **CVE-2024-50393**: A command injection flaw (CVSS score: **8.7**) allowing remote command execution.
– **CVE-2024-48868**: A CRLF injection flaw (CVSS score: **8.7**) that can alter application data.
– **CVE-2024-48865**: An improper certificate validation issue (CVSS score: **7.3**) posing a risk to local network security.
3. **Additional Vulnerabilities**: The patches also address medium and low-severity flaws, including improper authentication, additional CRLF injection issues, and a high-severity vulnerability in License Center (CVE-2024-48863, CVSS score: **7.7**).
4. **Software Update Versions**:
– QTS: **5.1.9.2954** (build 20241120), **5.2.2.2950** (build 20241114).
– QuTS Hero: **h5.1.9.2954** (build 20241120), **h5.2.2.2952** (build 20241116).
– License Center: **1.9.43**.
– Qsync Central: **4.4.0.16_20240819**.
5. **Recommended Action**: Users are strongly advised to update their software as soon as possible to protect against potential attacks, despite no current evidence of these vulnerabilities being exploited in the wild.
6. **Further Information**: More details on security advisories can be found on QNAP’s official website.
### Note:
Stay updated on security issues, as vulnerable devices are frequently targeted in cyberattacks.